Table showing fields from excluded events after head

plapila
Explorer

Is this intended behavior?

After selecting only a single event with "head 1", fields from excluded events that occurred at the same time can be seen in a table when using wildcards, for example "table _time,tags.* values.*".


bowesmana
SplunkTrust

Yes, unfortunately this is the way it works. I have never fully worked out why this is the case, but most of the time it doesn't really matter. I have used techniques to solve this where I needed to get only the fields that pertained to the particular event, but that involved quite a bit of other work.

You can do something simple like

search bla
| transpose 0
| where isnotnull('row 1')
| transpose 0 header_field=column
| fields - column

If this is just about data investigation and looking for things.

Give us more on any use case where this is an issue and we can see if there is a way to solve it.


yuanliu
SplunkTrust

OK, I can see what you mean now. And I can confirm with this emulation:

| makeresults format=csv data="a,b,c,d
va,vb
,,vc,vd"
| head 1

The result is a single row in which the fields c and d from the discarded second event still appear as (empty) columns:

a    b    c    d
va   vb

With little information from its official documentation, I can argue either way as to whether this is a feature or a bug. But you must have a use case in mind. How will head be used in your application, and what is your expected result?

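Putting yuanliu's emulation and bowesmana's transpose filter together, as an added example that is not from either poster, reproduces the bleed-through and then drops the columns that are empty for the one surviving event:

```spl
| makeresults format=csv data="a,b,c,d
va,vb
,,vc,vd"
| head 1
| transpose 0
| where isnotnull('row 1')
| transpose 0 header_field=column
| fields - column
```

After head 1 the first transpose turns each field into a row (field name in column, value in row 1), the where keeps only rows whose value is non-null, and the second transpose restores the original shape, so c and d disappear and only a=va and b=vb remain. When an investigation pins a single event with head 1, this is what keeps field names that belong to neighbouring events from being read as part of it.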

plapila
Explorer

Screencaptures for clarification

[Screenshots: Splunk_search_fields1.jpg, Splunk_search_fields2.jpg]

plapila
Explorer

[Screenshot: Splunk_search_fields1.jpg]

yuanliu
SplunkTrust

You need to qualify your question with a dataset (mockup or sanitized), SPL, and results. I cannot reproduce what you described based on my mind-reading of your question. But you must not rely on volunteers reading your mind. (It is never good to force people to read your mind.)
